Sql Audit logs ingestion

Mohit 81 Reputation points
2022-11-21T14:09:33.12+00:00

Hi there,

I have recently ingested SQL Audit Logs and I can view them under the security events table.

The event ID that I'm checking is 33205.

However, when I check the logs, the Event Data is quite complicated and very tough to understand.

I just want to know how to parse the data and also monitor for alerts.

We want to monitor alerts mainly for CRUD operations in database.

I have attached the snip of event data below for your reference.

Also if you can suggest with any use cases for the above, it would be very helpful.

Would appreciate your help on the above query.

Azure SQL Database

3 answers

  1. Mohit 81 Reputation points
    2022-11-22T10:02:34.793+00:00

    Hi Geeta,

    Thanks for your response.
    Can you please explain the context of your approach?

    When I click on merge audit files, what is the result?

    As of now I can see logs in SQL audit logs in Sentinel under the event ID 33205. When I open the log, I can see that the event data is quite gibberish and not parsed properly.
    I wanted to check if we can get the event data in an appropriate format so I can monitor for alerts.

    Regards,
    Mohit.


  2. Mohit 81 Reputation points
    2022-11-22T11:09:51.84+00:00

    Hi Geeta,
    Please find attached screenshots from Sentinel for further clarity.


  3. Mohit 81 Reputation points
    2022-11-23T11:42:54.477+00:00

    Hi Geeta,
    Thanks for the response.

    Just to simplify my question, if you refer to my screenshots, you can see EventData.

    I want to parse that information, as this chunk of data is too much for me to understand. I want to parse the data and add it to columns so that it makes more sense and can be easily understood by the team. I have tried a couple of methods to parse the data, but they didn't work for me. So I am requesting your help in providing a response ASAP.

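The EventData of event 33205 is the SQL Server audit record written as one `key:value` pair per line (action_id, succeeded, server_principal_name, database_name, object_name, statement, ...). The KQL below is an added example, not code from this thread, that pulls those fields into columns and tags the CRUD actions; it assumes the audit target is the Windows Security log so the events land in SecurityEvent, and that the text sits under the `EventData.Data` node of the XML (the fallback handles other shapes).

```kql
// Added example: parse SQL Server Audit event 33205 in Sentinel and tag CRUD operations.
// Assumption: events arrive in SecurityEvent; the key:value text sits in <EventData><Data>.
SecurityEvent
| where EventID == 33205
// The raw column is XML; take the inner text (entities decoded) and fall back to the
// raw string if the node layout differs from the assumption above.
| extend Payload = tostring(parse_xml(EventData).EventData.Data)
| extend Payload = iff(isempty(Payload), EventData, Payload)
// One key:value pair per line: extract the fields that matter for CRUD monitoring.
// Field names are the standard SQL Server audit record columns.
| extend ActionId     = extract(@"action_id:(\w+)", 1, Payload),
         Succeeded    = extract(@"succeeded:(\w+)", 1, Payload),
         Login        = extract(@"server_principal_name:([^\r\n]+)", 1, Payload),
         ClientIp     = extract(@"client_ip:([^\r\n]+)", 1, Payload),
         DatabaseName = extract(@"database_name:([^\r\n]+)", 1, Payload),
         ObjectName   = extract(@"object_name:([^\r\n]+)", 1, Payload),
         // statement is the last field and may span several lines
         Statement    = extract(@"statement:([\s\S]+)$", 1, Payload)
// Map the two-letter audit action_id to a readable CRUD verb; drop everything else
| extend Operation = case(ActionId == "SL", "SELECT",
                          ActionId == "IN", "INSERT",
                          ActionId == "UP", "UPDATE",
                          ActionId == "DL", "DELETE",
                          ActionId == "EX", "EXECUTE",
                          "")
| where isnotempty(Operation)
| project TimeGenerated, Computer, Login, ClientIp, DatabaseName, ObjectName,
          Operation, Succeeded, Statement
// Example detection on top of the parsed rows: a login performing many writes or
// deletes against one database inside an hour. Tune the threshold to your baseline.
| where Operation in ("INSERT", "UPDATE", "DELETE")
| summarize Events = count(),
            Objects = make_set(ObjectName, 20),
            SampleStatements = make_set(Statement, 5)
          by bin(TimeGenerated, 1h), Computer, Login, DatabaseName, Operation
| where Events > 100
```

Save the part down to `project` as a Sentinel function (parser) and point a scheduled analytics rule at the `summarize` block; failed attempts can be isolated by adding `Succeeded == "false"` before the summarize.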
